How the Heartbleed Bug Got Its Own Logo & Website

♠ Posted by Emmanuel in ,, at 5/02/2014 06:00:00 AM
Ah, fun with Photoshop and someone else's logo.
Something that's piqued my curiosity about the Heartbleed virus which is designed to, well, bleed through security layers is that it's always presented with a catchy logo in the media. Think about it for a moment: why would someone lend a corporate image to a thing as deplorable as a virus? Nobody ever thought of providing a catchy logo for, say, demented livestock for mad cow disease or virus-bestriding poultry for SARS. But there it is again and again for this computer virus: a heart whose edges are bleeding.

As it turns out, this is by design. Codenomicon, an Internet security firm whose services involve testing the robustness of security solutions for online transactions, has been behind it all. Indeed, I wasn't even aware that they've put up a site describing the security vulnerabilities exploited by this virus. The kicker, though, is of course Codenomicon's freely distributed logo. It's sheer marketing genius! The virus's name matches the logo, and the alarm the firm has raised about the virus surely drives business their way from the street cred gained from discovering it in the first place.

So partly it's Codenomicon making money out of their discovery. Again, there's nothing essentially wrong with that. Yet there's also a public service component in warning the rest of the world about it. How did Codenomicon attract attention to the virus? Through naming and branding, of course:
The Heartbleed flaw is being fixed more quickly because of the decision to give the bug a memorable name and a cute logo, according to the firm that first identified it. The flaw was caused by a simple coding error which resulted in passwords and security credentials being leaked from affected websites. "I really believe that the name and the logo and the website helped fuel the community interest in this," says David Chartier, the CEO of Codenomicon, the security testing firm which found the bug on 3 April.

"The IT community and the press have been important players in getting the word out, and so many people affected have fixed their stuff already," Chartier added. "This went extremely quick, and I think that the fact that it it had a name, had a catchy logo that people remember, really helped fuel the speed with which people became aware of this." Others agree. "The Heartbleed logo is probably one of the highest ROI [return on investment] uses of [approximately] $200 in the history of software security," writes Patrick McKenzie, founder of Kalzumeus Software.
Again, marketing matters:
"Why spend the extra money for a logo? Because it suggests professionalism and dedicated effort, because it will be used exhaustively in media coverage of the vulnerability, because it further deepens the branding association of the vulnerability, the name, the logo, and the canonical web presence, and because it also suggests danger." The logo, as well as the accompanying website which explained in readable English exactly what Heartbleed entailed, were both created in the days between Codenomicon warning authorities of the bug and it being officially patched.
Readers with a background in business management will recognize the use of marketing concepts to encourage prosocial behavior: social marketing. What Codenomicon did was make Heartbleed seem even more of a threat than it may be by promoting awareness of its potentially dire effects, like SARS and MERS rolled into one for natural, not programming, analogies. Here's a short blurb describing social marketing in more detail from a health perspective:
Social marketing was "born" as a discipline in the 1970s, when Philip Kotler and Gerald Zaltman realized that the same marketing principles that were being used to sell products to consumers could be used to "sell" ideas, attitudes and behaviors. Kotler and Andreasen define social marketing as "differing from other areas of marketing only with respect to the objectives of the marketer and his or her organization. Social marketing seeks to influence social behaviors not to benefit the marketer, but to benefit the target audience and the general society." This technique has been used extensively in international health programs, especially for contraceptives and oral rehydration therapy (ORT), and is being used with more frequency in the United States for such diverse topics as drug abuse, heart disease and organ donation.

Like commercial marketing, the primary focus is on the consumer--on learning what people want and need rather than trying to persuade them to buy what we happen to be producing. Marketing talks to the consumer, not about the product. The planning process takes this consumer focus into account by addressing the elements of the "marketing mix." This refers to decisions about 1) the conception of a Product, 2) Price, 3) distribution (Place), and 4) Promotion. These are often called the "Four Ps" of marketing...
My takeway? Again, design matters in making your message heard. Hence my recent blog redesign. Perhaps I'd still retain some readers if the IPE Zone looked as amateurish as the Drudge Report, but I sincerely doubt the message would come across.

UPDATE: Eric Levenson of Atlantic's The Wire demurs, however, pointing out that ordinary users did not go out of their way to change passwords despite widespread awareness of this bug. Point taken: I think it's mostly enterprises that reacted.